North Korean Hacking Group Lazarus Behind $571M in Hacks Since January 2017

The North Korean hacking group Lazarus is currently the biggest crypto hacking syndicate in the world, having stolen millions of dollars’ worth of cryptocurrency from online exchanges. Also known as HIDDEN COBRA, the group works at the behest of the North Korean government and has been responsible for some of the world’s largest cyber attacks, including the Sony hack in 2014, the WannaCry ransomware outbreak, military espionage and a number of attacks on South Korean businesses.

In a report acquired by news outlet HardFork, cybersecurity outfit Group-IB outlines trends in hi-tech cybercrime, detailing 14 different attacks on cryptocurrency exchanges since January 2017. It suggests that Lazarus has been responsible for the disappearance of over $571 million in cryptocurrency.

What is most interesting about the data from Group-IB is that a large majority of the targeted exchanges are domiciled in South Korea, such as Bithumb, YouBit and Coinrail.

This data appears to confirm accusations made by a member of South Korea’s parliamentary intelligence committee that the North Korean government has stolen cryptocurrency worth billions of won last year from South Korean exchanges.

Hackers who target cryptocurrency exchanges favor traditional methods and tools such as spear phishing, social engineering and malware. According to the cybersecurity group, hackers were able to steal 10 percent of the total funds raised by initial coin offering (ICO) platforms over the past year and a half, with 50 percent of the funds lost to phishers.

Cybercriminals create fake web pages that imitate the real project, tricking investors who are desperate to jump in on the next big thing. The report notes that large phishing groups have become so skilled in their craft that they can steal as much as $1 million in a day.

One incident that stands out was the creation of phishing sites for Telegram’s ICO project, which the thieves used to scam would-be investors. Gramtoken.io was the most prominent fake website during that period. It built authenticity by lifting details from Telegram’s white papers, project roadmap and more.

Phishing schemes can also take the form of investor database theft, in which hackers steal databases that they can resell on the darknet or use to blackmail crypto holders.

While attacks on ICOs might have dwindled in the wake of the clampdown by the U.S. Securities and Exchange Commission, Group-IB believes the previous attacks on ICOs remain a threat for any crypto project that attracts investors. The group also predicts that phishing scams won’t go away anytime soon, but they will become harder to detect as fraudsters unveil new tricks and tools to perpetrate their crimes.

“Fraudulent phishing-schemes involving crypto-brands will only get more complex as well as cybercriminals’ level of preparation for phishing attacks,” the report warns. “Automated phishing and the use of so-called ‘phishing-kits’ will become more widespread, including for the attacks on ICOs.”

The cybersecurity group sees a future where state-sponsored hackers, like the Lazarus Group, could target large mining pools, as 51-percent attacks seem to be on the increase.

“In 2017, no successful 51-percent attacks were detected, but they are now [happening] more often. In the first half of 2018, five successful attacks were registered with direct financial losses ranging from $0.55 million to $18 million,” the report concluded.